Add pkg/cosign.ObsoletePayload

Signed-off-by: Miloslav Trmač <[email protected]>

pkg/cosign/obsolete.go

@@ -0,0 +1,22 @@
+package cosign
+
+import (
+	"context"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/sigstore/cosign/v2/internal/ui"
+	"github.com/sigstore/sigstore/pkg/signature/payload"
+)
+
+// ObsoletePayload returns the implied payload that some commands expect to match
+// the signature if no payload is provided by the user.
+// DO NOT ADD ANY NEW CALLERS OF THIS.
+func ObsoletePayload(ctx context.Context, digestedImage name.Digest) ([]byte, error) {
+	blob, err := (&payload.Cosign{Image: digestedImage}).MarshalJSON()
+	if err != nil {
+		return nil, err
+	}
+	ui.Warnf(ctx, "using obsolete implied signature payload data (with digested reference %s); specify it explicitly with --payload instead",
+		digestedImage.Name())
+	return blob, nil
+}

pkg/cosign/obsolete_test.go

@@ -0,0 +1,26 @@
+package cosign
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/sigstore/cosign/v2/internal/ui"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestObsoletePayload(t *testing.T) {
+	// This looks like a smoke test, but the property of generating _exactly_ the same string as previous versions is
+	// essential.
+	digestedImg, err := name.NewDigest("docker.io/namespace/image@sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec")
+	require.NoError(t, err)
+	var res []byte
+	stderr := ui.RunWithTestCtx(func(ctx context.Context, write ui.WriteFunc) {
+		r, err := ObsoletePayload(ctx, digestedImg)
+		require.NoError(t, err)
+		res = r
+	})
+	assert.Contains(t, stderr, "obsolete implied signature payload")
+	assert.Equal(t, []byte(`{"critical":{"identity":{"docker-reference":"index.docker.io/namespace/image"},"image":{"docker-manifest-digest":"sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec"},"type":"cosign container image signature"},"optional":null}`), res)
+}